‘Mr. Robot’ Rewind: Analyzing Fsociety’s hacking rampage in Episode 8

[Spoiler Alert] This article discusses plot points and hidden secrets of Mr. Robot, Season 2, Episode 8, eps2.6_succ3ss0r.p12. If you haven’t watched it yet, check it out on USA Network, Amazon, or iTunes before coming back to learn about its hackuracy.

Mr. Robot is a rare entertainment triple threat. It maintains a gripping storyline and is crafted with unique artistic vision, all while incorporating a nearly obsessive level of technical accuracy. This series’ portrayal of hacking and information security is so precise that you can learn from it. So let’s analyze the hackuracy of this week’s episode.

Wow! An entire episode without one appearance of the main character (and hacker) Elliot or his alter ego. This could have been problematic for an article series based on analyzing the hacking in the show, but luckily Darlene and the Fsociety crew came through. In the end, this episode had more hacks than average.

Popping Mobley’s Phone with Stagefright

The episode almost immediately starts off with a hack. In a flashback, we see Mobley meet a cute girl in a coffee shop, who we already know to be Trenton, his future fellow Fsociety hacker. As Mobley lamely tries to drum up conversation with Trenton, stumbling onto the topic of mobile phone operating system preferences, she actually sets up an Android hack. To entice him to the malicious site that triggers the attack, she challenges him to a mobile speed test by sharing a link to a fake benchmarking site. He falls for it and his mobile gets pwned.

Figure 1: Phishing Mobley with fake benchmark site.

Could all this have happened? Absolutely! In fact, the tools used in this scene are completely real. If you paid close attention to Trenton’s screen during her hack, you’d see she’s exploiting the Android Stagefright issue. Stagefright was a critical series of vulnerabilities in Google’s Android operating system that researchers disclosed last year. Attackers could leverage these flaws to gain full control of Android devices, sometimes without any user interaction. In one case, just sending an MMS message to the phone would suffice.

Figure 2: Trenton’s Stagefright hack.

Besides accurately referencing Stagefright, Trenton is actually using a real world exploit that was released publicly for the Stagefright vulnerabilities. While the Stagefright vulnerabilities affected a huge range of Android phones, this particular exploit was only designed to target Nexus devices. However, the show even covers that limitation since they already established that Mobley is a Nexus user.

This exploit generates a media file that attackers must somehow deliver to the targeted device. Trenton picks a web-based delivery vector. She tricks Mobley into visiting a fake benchmarking site. In the industry, we call this web-based attack vector a “drive-by download attack,” and it is very common.

As a security professional, I was well aware of Stagefright, and the publicly released exploit the show used, which I first found with a simple Google search. However, the show’s dedication to accuracy goes even deeper. If you pay close attention to the screenshots above, you’ll find some Easter eggs that lead you to a site with another hidden puzzle. I later learned the solution to that puzzle is the link to exploit the show used. Very meta.

Hijacking FBI Conference Calls and Prism Unveiled

Last episode, Angela and Fsociety completed their FBI hack, giving them access to FBI phones. One of the first things they find using this access is an internal FBI email for a conference call meeting. With this email, they have the code for that call, and easily log in to eavesdrop on the conversation.

Figure 3: FBI conference call code.

If you work in an office, you probably attend these sorts of calls all the time, and you know that the email with that “code” is really all you need to get in. So this attack is quite plausible. I have seen people argue that the FBI should have heard the tone when new callers joined, and should have realized that they had more callers than expected. However, I think those details are easy to miss. Furthermore, I can say for certain this attack vector is realistic because something just like it really happened.

In 2012, members of LulzSec, a hacktivist group related to Anonymous, released a recording of an FBI conference call. The FBI never shared exactly how these hacktivists got onto their call, but experts presumed that they somehow got access to the email with the call details. In short, this Fsociety scenario is real.

What Fsociety learns on this call also parallels the real world. During this scene, we learn that Operation Berenstain is about the FBI carrying out mass surveillance and backdooring mobile phones. Furthermore, Fsociety finds that companies like Ecorp, Google, Apple, Verizon, and others are complicit in aiding the FBI’s surveillance. Sound familiar? It should. All of it parallels the NSA secrets Edward Snowden leaked, such as Operation PRISM.

Physical Access == Game Over

During the last hack of the episode, Fsociety tried to dig up dirt on Susan Jacobs. When she returned home and found the hackers squatting there, they were forced to kidnap her. They figured if they could find something to blackmail her with, they could release her knowing she couldn’t report them. Luckily, she had her laptop and phone with her, so the Fsociety hackers had a chance to flex their forensic muscles.

The scene flashes between images of the team plugging USB devices into Jacobs’ laptop and phone, and screens of various forensic, password and data recovery tools. I won’t analyze every shot, but the overall gist of this scene is very realistic. If an attacker or law enforcement can physically get their hands on your computer, it’s often game over. There are many techniques they can use to access your data.

For instance, one method we see in this scene is the Offline NT Password and Registry Editor. This is an old tool designed to allow you to change the administrator password of a Windows machine if you forgot your password. Using a bootable CD or USB key, the tool boots your Windows computer in Linux, mounts the Windows partitions, and then makes the filesystem and registry changes necessary to change your admin password.

Figure 4: Offline Password and Registry Editor.

We also see the team use various Android forensic and data recovery tools to pull emails and other data off her Android device. I personally don’t recognize the ones in the screenshots, but I am aware of many similar tools that exist. However, it is getting harder to pull data off mobile devices without first getting past their lock screen. Today’s mobile operating systems encrypt data on the storage device. When a passcode is set, the device’s data is encrypted, and often isn’t available to these data recovery tools until you unlock the device. That said, I’ll give Fsociety the benefit of the doubt by assuming they had some way around this.

By the way, once they had access to Jacobs’ computer and mobile phone, they started using them to gather passwords and more data to gain access to all her social media and email accounts. The techniques they used here were quite real too. For instance, once they had access to her email, they could leverage the common “forgot your password” trick, and later we even see Trenton find a password on a sticky note (classic).

Figure 5: Password recovery tricks.

Many accurate tech details throughout

As always, Mr. Robot’s technical accuracy extends beyond the hacks to many subtle details. Here are a few highlights:

Before uploading their Fsociety hacktivist video to Vimeo, Trenton is smart enough to wipe the video’s metadata. Any time you create digital media, the tools you use often leave small bits of digital evidence that could help authorities learn about you (what camera you used, your geo-location, time of day, software used, etc.). Trenton uses a very real ffmpeg command to actually wipe this metadata. I also assume Darlene’s use of analog VHS equipment is intended to help throw authorities off. We also see Dom later using ffmpeg to split Fsociety’s video into individual screenshots. This could become important in a later episode.

Fsociety also uses a Tor browser package to upload the video to Vimeo, further covering their tracks.

Mobley uses an unlocked bootloader to wipe his Android device. Before doing this, we also see him use Wickr, a real end-to-end encryption app, to message Trenton before dumping his phone.

As usual, there were many technical Easter eggs from this episode, including one that delivers a mocked up version of Trenton’s CLI during the Stagefright hack. Many of these Easter eggs contain their own secrets as well. I’ll leave it up to you to find them, but if you need help, this Reddit link covers many.
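Two of this episode’s hacks revolve around MP4 files: the Stagefright media file Trenton delivers to Mobley, and the video whose metadata she strips with ffmpeg. The added example below (my own code, not anything from the show or its Easter eggs) is a small defensive MP4 box walker that does what a media parser should do: it refuses any box whose declared size does not fit inside its parent (several of the disclosed Stagefright bugs were integer overflows in exactly this kind of size handling), and it reports whether metadata containers such as udta or meta are still present, which is a quick way to confirm a metadata wipe actually worked. The sample files are constructed inline; `box()` and `audit()` are my names, not a real library’s API.

```python
import struct

# Boxes whose payload is a sequence of child boxes; 'meta' is a FullBox
# (4 bytes of version/flags precede its children).
CONTAINERS = {"moov", "trak", "udta", "meta", "ilst"}
METADATA_BOXES = {"udta", "meta", "ilst"}


def iter_boxes(data, offset=0, end=None):
    """Yield (type, start, size, header_len) for each box in data[offset:end].
    Raise ValueError on any size that could not be honoured safely."""
    end = len(data) if end is None else end
    while offset < end:
        if end - offset < 8:
            raise ValueError(f"truncated box header at offset {offset}")
        size, btype = struct.unpack(">I4s", data[offset:offset + 8])
        header = 8
        if size == 1:                      # 64-bit 'largesize' follows the type
            if end - offset < 16:
                raise ValueError(f"truncated largesize at offset {offset}")
            size = struct.unpack(">Q", data[offset + 8:offset + 16])[0]
            header = 16
        elif size == 0:                    # box runs to the end of its parent
            size = end - offset
        # The check a vulnerable parser lacks: size must cover its own header
        # and must not extend past the parent, so size - header never underflows
        # and no read reaches outside the buffer.
        if size < header or offset + size > end:
            raise ValueError(f"box {btype!r} at {offset} declares size {size} beyond parent end {end}")
        yield btype.decode("latin-1"), offset, size, header
        offset += size


def scan(data, offset=0, end=None, path=()):
    """Walk the box tree; return '/'-joined paths of every metadata container found."""
    found = []
    for btype, off, size, hdr in iter_boxes(data, offset, end):
        here = path + (btype,)
        if btype in METADATA_BOXES:
            found.append("/".join(here))
        if btype in CONTAINERS:
            skip = 4 if btype == "meta" else 0
            found += scan(data, off + hdr + skip, off + size, here)
    return found


def audit(data):
    """Return ('malformed' | 'tagged' | 'clean', details) for an MP4 byte string."""
    try:
        meta = scan(data)
    except ValueError as exc:
        return "malformed", [str(exc)]
    return ("tagged" if meta else "clean"), meta


def box(btype, payload=b""):
    """Build a 32-bit-size box (constructed test data helper)."""
    return struct.pack(">I4s", 8 + len(payload), btype) + payload


# Constructed samples: a stripped file, a file still carrying iTunes-style
# metadata under moov/udta/meta, and a file whose moov size overruns the buffer.
FTYP = box(b"ftyp", b"isom\x00\x00\x02\x00isomiso2mp41")
CLEAN = FTYP + box(b"moov", box(b"mvhd", b"\x00" * 100))
TAGGED = FTYP + box(b"moov", box(b"mvhd", b"\x00" * 100)
                    + box(b"udta", box(b"meta", b"\x00" * 4
                                       + box(b"hdlr", b"\x00" * 4 + b"mdir" + b"\x00" * 12))))
MALFORMED = FTYP + struct.pack(">I4s", 0xFFFFFFF0, b"moov") + b"\x00" * 16
```

Run `audit()` on the output of an ffmpeg `-map_metadata -1` pass to confirm no `udta`/`meta` path is reported; a `malformed` verdict on a file you did not create yourself is reason enough not to open it in a media player.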

Can TV make you an InfoSec Pro?

There are several minor security tips I could share from the hacking in this episode, but I think one overarching theme from the Jacobs hack is most important.

Physical access is king!

As you secure your digital assets, don’t forget to also secure them physically. While encrypted devices with secure boot are getting much harder to hack, physical access gives hackers a HUGE advantage in peeling open your device. Make sure to set passcodes on all devices and try your best to keep thieves from physically accessing your devices. Also, when you walk away from your computer, don’t forget to lock your screen, or at least set a short delay on a screen saver.

This was another great Mr. Robot episode. It illustrates exactly how entertainment can become edu-tainment by remaining accurate and compelling at the same time. Looking forward to your comments, feedback, and thoughts below. Join us next week for another installment of Mr. Robot Rewind.

Corey Nachreiner, CTO at WatchGuard Technologies, regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the Secplicity Community, which provides daily videos and content on the latest security threats, news and best practices. A Certified Information Systems Security Professional (CISSP), Corey enjoys "modding" any technical gizmo he can get his hands on and considers himself a hacker in the old sense of the word.